Back to skill
Skillv1.0.1
VirusTotal security
taskleef · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:06 AM
- Hash
- 0bde8e6f791ff6f58fc1743a16d569afcfa9d6933bd6279b6970752d1824750e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: taskleef Version: 1.0.1 The skill is classified as suspicious due to its installation process, which involves downloading and executing an external binary (`todo` CLI) from `https://raw.githubusercontent.com/Xatter/taskleef/main/taskleef-cli/todo` as specified in `SKILL.md`. This introduces a supply chain risk, as the integrity of the external GitHub repository and the downloaded executable is critical. Additionally, the skill requires and handles a sensitive `TASKLEEF_API_KEY` environment variable, which, while necessary for its stated purpose, adds to the overall risk profile.
- External report
- View on VirusTotal